Practical fallout of Snowden's acts

Published June 27. 2013 12:01AM

David Ignatius

Congress and the courts will sort out the big questions about privacy and surveillance posed by Edward Snowden's disclosure of National Security Agency monitoring programs. In the meantime, there are some nagging smaller questions raised by this hemorrhage of secrets.

These mundane questions interest me partly because the big privacy issues don't seem all that shocking. In more than 34 years of traveling regularly overseas, I have assumed that foreign intelligence services are picking my communications clean; in recent years, commercial Internet companies track most of us everywhere we go electronically. Privacy in the traditional sense doesn't exist.

It bothers me, too, that the programs Snowden leaked seem to have been lawful, enacted by Congress and subject to congressional and court review. Snowden looks these days more like an intelligence defector, seeking haven in a country hostile to the United States, than a whistle-blower.

But whatever we may think about his revelations, they are a now a fact of business and political life. Here are three contrarian issues worth considering:

(1) Did Snowden kill the "cloud"? Some analysts have speculated that the revelation of NSA snooping into Internet messages will cause problems for U.S. companies that rent out storage in their "cloud" of servers. Long before Snowden, two European cloud companies were pitching in their advertising "safe haven from the reaches of the U.S. Patriot Act," according to former NSA attorney Stewart Baker's blog, "Skating on Stilts."

Certainly the stock market doesn't see any big loss of value, post-Snowden. Amazon and Microsoft, two big cloud providers, are trading close to where they were in early June, before the world had heard of Snowden. Goldman Sachs isn't going to store its trading algorithms in the cloud, but it wouldn't have done so anyway. As Joel Brenner, the former inspector general of NSA, told me: the computing world has different kinds of clouds, at different levels and privacy protections. And the cost and efficiency benefits of cloud computing are overwhelming. So, no, the cloud probably isn't dead.

(2) Where does the Internet live? Not so simple: The Internet, as we imagine it, is a borderless space. But the stream of bits is subject to collection when it's in motion, through fiber-optic cables, mostly; and when it's at rest, in servers. Whose laws apply in these spaces?

Some of Snowden's most damaging revelations concern collection of data moving through Internet "backbones." The Guardian revealed a program known as "Tempora," run by the British equivalent of the NSA, that was said to be able to survey metadata travelling on 1,500 of the 1,600 high-capacity cables passing through the U.K., and to be actively sharing this information with the NSA.

The South China Morning Post revealed an NSA program to tap Internet backbones in Beijing and Hong Kong. No surprise, really, this is what intelligence agencies do. But as an American, I want to be sure that whatever foreign laws the NSA may break to keep us safe, it won't violate U.S. law.

Data "at rest" in servers also poses an interesting puzzle. Does the U.S. company Amazon control data stored in servers that are located in, say, Germany? Or will Germany and other nations now impose "Digital Residency Requirements," that make Internet data stored there subject to local law? The "big data" business is likely to get more complicated, either way.

(3) Can the government protect secrets? After the Snowden and WikiLeaks revelations, the answer would obviously seem to be "no." This raises problems even for people who aren't particularly worried about "Big Brother" issues.

Let's assume that (like me) you trust the government's discretion with personal information more than that of a commercial concern such as Facebook. But if the government can collect our secret information (even under a lawful procedure), this means that some disgruntled person within the government could decide to leak those secrets - to damage an individual, company or nation.

Paradoxically, privacy advocates should have the greatest interest in the government's ability to protect secrets - and keep tax and medical records, email traffic or other records private. But the Snowden or WikiLeaks revelations suggest that this is a losing battle. We may trust the U.S. government in the abstract, but the evidence suggests we can't trust the malcontents and self-appointed do-gooders who may get security clearances.

If there's an IT solution to the problem of unauthorized access and disclosure (including by Chinese malware) that will be a good business. Perhaps Snowden can form a consulting company in Ecuador.